Plummer reports that Google initially dismissed his discovery as “intended behaviour” before his tweets about it went viral and the company acknowledged the error:

“After taking a closer look we realized that this indeed doesn't seem like a generic SPF vulnerability. Thus we are reopening this and the appropriate team is taking a closer look at what is going on. We apologize again for the confusion and we understand our initial response might have been frustrating, thank you so much for pressing on for us to take a closer look at this! We'll keep you posted with our assessment and the direction that this issue takes.”

Plummer highlights that Google has now listed the flaw as a ‘P1’ (top priority) fix, which is currently “in progress.”

Immense credit goes to Plummer, not just for his discovery, but for the lengths he went to in order to make Google acknowledge the problem. That said, until Google has a fix, the Gmail checkmark verification system remains broken and is being used by hackers and spammers to trick you with the exact thing it was meant to combat. Stay vigilant.

06/05 Update: security researchers are beginning to understand how Gmail’s checkmark verification system is being tricked and how it applies to other email services.

In a blog post, debugger Jonathan Rudenberg revealed he was able to replicate the hack on Gmail, explaining: “Gmail's BIMI implementation only requires SPF to match, the DKIM signature can be from any domain. This means that any shared or misconfigured mail server in a BIMI-enabled domain's SPF records can be a vector for sending spoofed messages with the full BIMI ✅ treatment in Gmail. BIMI is worse than the status quo, as it enables super-powered phishing based on a single misconfiguration in the extremely complicated and fragile stack that is email.”

Rudenberg also published results for BIMI implementations on other major email services, stating:

- iCloud: properly checks that DKIM matches the From domain.
- Yahoo: only attaches BIMI treatment to bulk sends with high reputation.
- Fastmail: vulnerable but also supports Gravatar and uses the same treatment for both so the impact is minimal.
- Apple Mail + Fastmail: vulnerable with a dangerous treatment.

Yes, this means Apple Mail and Fastmail users must also be vigilant, though they don’t run the same verified checkmark system as Gmail. There has been a highly critical response to this vulnerability from the security community, with questions raised about how this was allowed to happen and how poorly implemented the Gmail verification method is. Google needs a fix ASAP.

06/06 Update: Google’s press team has contacted me to provide further details about the Gmail verification hack: “This issue stems from a third-party security vulnerability allowing bad actors to appear more trustworthy than they are. To keep users safe, we are requiring senders to use the more robust DomainKeys Identified Mail (DKIM) authentication standard to qualify for Brand Indicators for Message Identification (blue checkmark) status,” explained a Google spokesperson.

Google also provided the following link for anyone wanting more information on DKIM. In addition, the spokesperson confirmed that a fix “will be fully rolled out by the end of the week.”
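The difference Rudenberg describes (Gmail accepting any passing DKIM signature as long as SPF aligns with the From domain, versus iCloud insisting that the DKIM d= domain itself aligns with From) can be made concrete with a small policy comparison. The code below is an added example, not code from the article, from Google or from Rudenberg's post. It parses the SPF and DKIM verdicts out of an RFC 8601 Authentication-Results header value and evaluates two toy BIMI eligibility policies against three constructed messages: a genuine send, a spoof relayed through a shared sender that sits in the brand's SPF record but is signed with the attacker's own DKIM key, and a plain forgery from an unrelated host. The header strings, the domain names (brand.example, attacker.example), the function names and the two-label organizational-domain rule are all assumptions made for the demo; real receivers use the Public Suffix List for alignment and BIMI additionally requires a passing DMARC check with an enforcing policy, which this example leaves out to keep the SPF-versus-DKIM point isolated.

```python
"""
Added example (not the article's, Google's or Rudenberg's code): a toy model of
the BIMI eligibility decision. "weak" mirrors the Gmail behaviour described in
the post (SPF must align with From, the DKIM signature may be from any domain);
"strict" mirrors the iCloud behaviour (DKIM must verify and its d= domain must
align with From). All sample headers and domains below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthResult:
    """Constructed summary of the receiver's authentication verdicts for one message."""
    from_domain: str   # domain of the RFC5322.From header
    spf_result: str    # "pass" / "fail" / "none" / ...
    spf_domain: str    # envelope (MAIL FROM) domain SPF was evaluated against
    dkim_result: str   # "pass" / "fail" / "none" / ...
    dkim_domain: str   # d= tag of the verified signature, "" if no signature


# Only the properties this demo needs; a full RFC 8601 parser would do more.
_SPF_RE = re.compile(r"spf=(?P<res>\w+)(?:[^;]*smtp\.mailfrom=(?P<dom>[^\s;]+))?")
_DKIM_RE = re.compile(r"dkim=(?P<res>\w+)(?:[^;]*header\.d=(?P<dom>[^\s;]+))?")


def parse_auth_results(header: str, from_domain: str) -> AuthResult:
    """Pull SPF/DKIM verdicts and the domains they apply to out of an
    Authentication-Results header value (authserv-id; method=result props...)."""
    spf = _SPF_RE.search(header)
    dkim = _DKIM_RE.search(header)
    spf_dom = (spf.group("dom") or "") if spf else ""
    spf_dom = spf_dom.split("@")[-1]  # smtp.mailfrom may be a full address
    return AuthResult(
        from_domain=from_domain.lower(),
        spf_result=spf.group("res").lower() if spf else "none",
        spf_domain=spf_dom.lower(),
        dkim_result=dkim.group("res").lower() if dkim else "none",
        dkim_domain=((dkim.group("dom") or "") if dkim else "").lower(),
    )


def organizational_domain(domain: str) -> str:
    # Assumption for the demo: last two labels. Real receivers consult the
    # Public Suffix List (this rule mis-handles e.g. "example.co.uk").
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(a: str, b: str) -> bool:
    """DMARC-style relaxed alignment: same organizational domain."""
    return bool(a) and bool(b) and organizational_domain(a) == organizational_domain(b)


def bimi_eligible_weak(r: AuthResult) -> bool:
    """Gmail-style check as described in the post: SPF must pass and align with
    From; a DKIM signature must verify but may be signed by any domain."""
    return (r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain)
            and r.dkim_result == "pass")


def bimi_eligible_strict(r: AuthResult) -> bool:
    """iCloud-style check: the verified DKIM d= domain must align with From.
    Anyone who can relay through a host in the brand's SPF record still cannot
    satisfy this without the brand's private DKIM key."""
    return r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain)


FROM_DOMAIN = "brand.example"  # RFC5322.From domain shared by all samples

# Constructed Authentication-Results values (not captured traffic).
SAMPLES = {
    # Genuine bulk send: SPF and the brand's own DKIM key both line up.
    "legitimate": "mx.example; spf=pass smtp.mailfrom=news@brand.example; "
                  "dkim=pass header.d=brand.example",
    # Spoof sent through a shared mail provider listed in brand.example's SPF
    # record; the attacker signs with their own key because they do not hold
    # brand.example's DKIM key.
    "spoof_via_shared_spf": "mx.example; spf=pass smtp.mailfrom=brand.example; "
                            "dkim=pass header.d=attacker.example header.i=@attacker.example",
    # Forgery from an unrelated host: SPF fails and nothing is signed.
    "plain_forgery": "mx.example; spf=fail smtp.mailfrom=brand.example; dkim=none",
}


def evaluate(sample: str) -> dict:
    """Return the verdict of both policies for one named sample."""
    r = parse_auth_results(SAMPLES[sample], FROM_DOMAIN)
    return {"weak": bimi_eligible_weak(r), "strict": bimi_eligible_strict(r)}


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:22s} {evaluate(name)}")
```

Running it shows the spoof relayed through the shared sender earning the checkmark under the weak policy and being refused under the strict one, while the genuine send passes both and the plain forgery passes neither; that single column of difference is the gap Rudenberg describes, and it is why the fix Google announced centres on requiring DKIM rather than tightening SPF.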